Need a little help with SSM and the registry.

Discussion in 'other anti-malware software' started by notageek, Apr 27, 2003.

Thread Status:
Not open for further replies.
  1. notageek

    notageek, Registered Member (Joined: Jun 3, 2002; Posts: 1,601; Location: Ohio)

    My wife was messing around on the computer and put a checkmark in the monitor register, and she said that she clicked close when the pop-up popped up that has the red or green boxes (I know nothing about this because I never checked the box). She said it was red, and I saw that red was to block. Now I ran StartupList and noticed that McAfee VS wasn't there in the startup. Now when I restarted my computer, McAfee VS starts. But the registry doesn't show that it starts up. Here's what the StartupList says:

    StartupList report, 4/27/2003, 10:30:12 AM
    StartupList version: 1.52
    Started from : C:\unzipped\startuplist\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\DllHost.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\unzipped\ssm\SysSafe.exe
    C:\unzipped\startuplist\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Digital Line Detect.lnk = ?

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    IgfxTray = C:\WINDOWS\System32\igfxtray.exe
    HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
    BCMSMMSG = BCMSMMSG.exe
    MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    SmcService = C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    FAST Defrag =
    McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\PROGRA~1\AdShield\AdShield\AdShield.dll - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F}
    (no name) - c:\windows\googletoolbar_en_1.1.70-big.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    .job
    McAfee.com Scan for Viruses - My Computer (1) (COMPUTER-Me).job
    McAfee.com Scan for Viruses - My Computer (COMPUTER-Me).job

    --------------------------------------------------

    Enumerating Download Program Files:

    [BrowseFolderPopup Class]
    InProcServer32 = C:\WINDOWS\MCBin\Shared\MGBrwFld.dll
    CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\Program Files\Yahoo!\Messenger\yacscom.dll
    CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003042101/housecall.antivirus.com/housecall/xscan53.cab

    [{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
    CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37676.669212963

    [YahooYMailTo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 5,919 bytes
    Report generated in 0.234 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    See, it doesn't show McAfee starting, but McAfee starts. Now isn't this odd? I think SSM has something to do with it. Is there a way to fix this?
     
  2. Pieter_Arntz

    Pieter_Arntz, Spyware Veteran (Joined: Apr 27, 2002; Posts: 13,331; Location: Netherlands)

    Hi Notageek,

    Not familiar with McAfee but I found this on Pacs Portal:

    McAfeeVirusScanService
    Avsynmgr.exe
    From McAfee VirusScan version 5.x. Runs VirusScan System Tray (Vsstat.exe), WebScanX (Webscanx.exe), VirusScan System Scan (Vshwin32.exe) and VirusScan Console (Avconsol.exe) under one application

    Check your services to see if it starts from there. It will if my suspicion is right.

    Regards,

    Pieter
     
  3. notageek

    Hi Pieter, McAfee still starts, it just shows in StartupList that it's not in the registry. I just find this rather puzzling. I think my wife blocked it somehow with SSM. I just wanted to put it back in the registry as a startup. Could JV16 do this?
     
  4. Pieter_Arntz

    Hi Notageek,

    StartupList doesn't show the services that start up.
    Could you post an Autostart Viewer log?
    Download and run the program: Click Main > Show Services > Main > Save to create the .txt file.
    Or do you have a StartupList from before?
    So I can see what's missing.
    Like I said, I'm not familiar with McAfee, and I don't want it on my conscience to cripple your protection.
    JV16 will be of little help when you want to add something to the registry, unless it concerns restoring entries removed by JV16.

    Regards,

    Pieter
     
  5. notageek

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Me@COMPUTER, 04-27-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    NUL=C:\WINDOWS\System32\winlnet.dllEMPOR~1\Content.IE5\index.dat
    NUL=C:\WINDOWS\downlo~1\ymsgrins.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray
    C:\WINDOWS\System32\igfxtray.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
    C:\WINDOWS\System32\hkcmd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BCMSMMSG
    C:\WINDOWS\BCMSMMSG.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MessengerPlus2
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SmcService
    C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Avsynmgr.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (1) (COMPUTER-Me).job
    c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
    C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (COMPUTER-Me).job
    c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    C:\Program Files\Digital Line Detect\DLG.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\CSLSP.DLL
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
     
  6. Pieter_Arntz

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Avsynmgr.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

    It's there all right. We'll need some input from someone using McAfee to see if that is enough.

    Is using System Restore an option? Just to make sure.

    Regards,

    Pieter
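
Added example, not written by any poster in this thread: a Python script that parses the Run-key entries from both reports above and lists the value names that only one tool reported. The excerpts are trimmed copies of the posted logs; the parsing rules are assumptions inferred from those two logs, not documented report formats.

```python
import re

# Matches the Run key itself (StartupList section header) or Run\<value> (Autostart Viewer).
RUN_KEY = re.compile(
    r"^(HK(?:LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)(?:\\(.+))?$", re.I)

# Excerpts trimmed from the two reports posted in this thread.
STARTUPLIST = r"""
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

FAST Defrag =
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
--------------------------------------------------
"""
ASVIEWER = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
"""

def parse_startuplist(text):
    # Assumed layout: a line naming the key, then "name = data" lines until a dashed separator.
    found, key = set(), None
    for line in map(str.strip, text.splitlines()):
        m = RUN_KEY.match(line)
        if m and not m.group(2):
            key = m.group(1).upper()
        elif line.startswith("-----"):
            key = None
        elif key and "=" in line:
            found.add((key, line.split("=", 1)[0].strip().lower()))
    return found

def parse_asviewer(text):
    # Assumed layout: "key\value name" on one line, the command on the next (ignored here).
    hits = (RUN_KEY.match(l.strip()) for l in text.splitlines())
    return {(m.group(1).upper(), m.group(2).lower()) for m in hits if m and m.group(2)}

def diff_run_entries(startuplist, asviewer, hive="HKCU"):
    a = {n for k, n in parse_startuplist(startuplist) if k.startswith(hive)}
    b = {n for k, n in parse_asviewer(asviewer) if k.startswith(hive)}
    return sorted(a - b), sorted(b - a)  # (only in StartupList, only in Autostart Viewer)

if __name__ == "__main__":
    print(diff_run_entries(STARTUPLIST, ASVIEWER))
```

Neither side of the diff covers services, which StartupList does not list; those still have to be checked separately.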
     
  7. notageek

    I have System Restore ready to go if I have to use it. But I went to Cyber help forum and they said it wasn't loading from looking at StartupList. I looked at ASViewer and it showed it.
     